Snort mailing list archives

Win.Malware.Disttrack


From: Y M <snort () outlook com>
Date: Sun, 19 Feb 2017 05:52:22 +0000

Hello,


The below signatures address the following hashes and the observed C&C traffic. Pcaps and samples should be publicly 
available. If not, please let me know.



- f4d18316e367a80e1005f38445421b1f
- 45b0e5a457222455384713905f886bd4
- ce25f1597836c28cf415394fb350ae93
- 1b5e33e5a244d2d67d7a09c4ccf16e56
- 03ea9457bf71d51d8109e737158be888
- 19cea065aa033f5bcfa94a583ae59c08
- ecfc0275c7a73a9c7775130ebca45b74
- 43fad2d62bc23ffdc6d301571135222c

These were part of the analysis covered here:  
https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack second stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|text/html|0D 0A 0D 0A|"; file_data; content:"powershell.exe"; nocase; content:"hidden"; nocase; within:50; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000849; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.Disttrack third stage payload download response"; flow:to_client,established; content:"Content-type|3A 20|application/octet-stream|0D 0A 0D 0A|"; file_data; content:"function Invoke-ReflectivePEInjection"; nocase; content:!"Content-Length"; nocase; content:!"Connection"; nocase; content:!"Location"; nocase; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000850; rev:1;)

The below rules were simulated in the lab to detect the first stage payload documents in transit. Notes:

1. The first two rules are replicas of sid:26083 and sid:26084 respectively, with the modifications to look for .xlsm 
instead of .xlsx.
2. sid: 36611 triggered nicely on the suspected traffic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download request"; flow:to_server,established; content:".xlsm"; fast_pattern:only; http_uri; pcre:"/\x2exlsm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000851; rev:1;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file attachment detected"; flow:to_client,established; content:".xlsm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exlsm/i"; flowbits:set,file.xlsm; metadata:service imap, service pop3; classtype:misc-activity; sid:1000852; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel macro-enabled file download response"; flow:to_client,established; content:"Content-Type|3A 20|application/vnd.ms-excel.sheet.macroEnabled"; fast_pattern:only; http_header; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,file.xlsm; metadata:service http; classtype:misc-activity; sid:1000853; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office OLE CF file download response"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; fast_pattern; flowbits:set,file.olecf; metadata:service http; classtype:misc-activity; sid:1000854; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Microsoft Office OLE CF file with PowerShell content download"; flow:to_client,established; flowbits:isset,file.olecf; file_data; content:"-window"; content:"hidden"; within:15; content:"powershell.exe"; metadata:service http; classtype:misc-activity; sid:1000855; rev:1;)

Thank you.
YM
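The matching logic of the rules in the post above, re-implemented as a small Python matcher so the content / nocase / within / negated-content / pcre / flowbits semantics can be exercised against constructed HTTP responses without a Snort install. This is an added example, not code from the post or from the Snort project; the function names (split_response, find_within, match_*, fired_sids) and all sample traffic are assumptions constructed for the demonstration, not captures from the referenced analysis.

```python
"""Offline re-implementation of the Disttrack / .xlsm rule logic posted above.

Each match_* function mirrors one rule (or a flowbits-chained pair) so the
behaviour of the rule options can be checked against hand-built responses.
This is an approximation of Snort's matching, not the Snort engine.
"""
import re

# --- helpers that mimic the rule options -------------------------------------

def split_response(raw: bytes):
    """Split a raw HTTP response at the first CRLFCRLF. The returned 'body' is
    what file_data exposes for a plain (non-chunked, non-compressed) response;
    the header part keeps its trailing CRLFCRLF so '|0D 0A 0D 0A|' matches."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return raw, b""
    return raw[:sep + 4], raw[sep + 4:]


def find_within(buf: bytes, first: bytes, second: bytes, within: int, nocase: bool = True) -> bool:
    """content:first; content:second; within:N  -- 'second' must lie entirely in the
    N bytes that follow the end of a 'first' match. Like Snort, later occurrences
    of 'first' are retried if the first one has no 'second' close enough."""
    hay, a, b = (buf.lower(), first.lower(), second.lower()) if nocase else (buf, first, second)
    start = 0
    while True:
        i = hay.find(a, start)
        if i < 0:
            return False
        end = i + len(a)
        if hay.find(b, end, end + within) >= 0:   # bytes.find(sub, start, end): end is exclusive
            return True
        start = i + 1


def no_negated(body: bytes) -> bool:
    """content:!"Content-Length"; content:!"Connection"; content:!"Location"; all nocase,
    evaluated over the file_data buffer (the body), as they follow file_data in the rule."""
    lb = body.lower()
    return not any(s in lb for s in (b"content-length", b"connection", b"location"))

# --- one function per rule (sid numbers are the ones from the post) ------------

def match_second_stage(raw: bytes) -> bool:
    """sid:1000849: 'Content-type: text/html' is the final header (case-sensitive),
    the body names powershell.exe with 'hidden' within 50 bytes, negations hold."""
    headers, body = split_response(raw)
    return (b"Content-type: text/html\r\n\r\n" in headers
            and find_within(body, b"powershell.exe", b"hidden", 50)
            and no_negated(body))


def match_third_stage(raw: bytes) -> bool:
    """sid:1000850: octet-stream is the final header and the body carries the
    Invoke-ReflectivePEInjection function definition (nocase), negations hold."""
    headers, body = split_response(raw)
    return (b"Content-type: application/octet-stream\r\n\r\n" in headers
            and b"function invoke-reflectivepeinjection" in body.lower()
            and no_negated(body))


# sid:1000851 pcre:"/\x2exlsm([\?\x5c\x2f]|$)/smiU": '.xlsm' then '?', '\', '/' or end of URI.
XLSM_URI_RE = re.compile(rb"\.xlsm([?\\/]|$)", re.I | re.S | re.M)

def match_xlsm_uri(uri: bytes) -> bool:
    return XLSM_URI_RE.search(uri) is not None


def match_xlsm_response(raw: bytes) -> bool:
    """sid:1000853: macroEnabled Content-Type in the headers and a ZIP (PK\\x03\\x04)
    signature in the first 4 bytes of the body (depth:4)."""
    headers, body = split_response(raw)
    return (b"Content-Type: application/vnd.ms-excel.sheet.macroEnabled" in headers
            and body[:4] == b"PK\x03\x04")


OLECF_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # |D0 CF 11 E0 A1 B1 1A E1|, depth:8

def match_olecf(raw: bytes) -> bool:
    """sid:1000854: OLE CF magic at the start of the body; sets flowbit file.olecf."""
    return split_response(raw)[1][:8] == OLECF_MAGIC


def match_olecf_powershell(raw: bytes) -> bool:
    """sid:1000855: requires the file.olecf flowbit, then '-window' ... 'hidden' within
    15 bytes and a case-sensitive 'powershell.exe' anywhere in the body (no nocase)."""
    if not match_olecf(raw):
        return False
    body = split_response(raw)[1]
    return find_within(body, b"-window", b"hidden", 15, nocase=False) and b"powershell.exe" in body


def fired_sids(raw: bytes, uri: bytes = b"") -> list:
    """Return the sids (from the post) whose re-implemented logic fires on one response
    and, optionally, the request URI that fetched it."""
    checks = [(1000851, lambda: bool(uri) and match_xlsm_uri(uri)),
              (1000849, lambda: match_second_stage(raw)),
              (1000850, lambda: match_third_stage(raw)),
              (1000853, lambda: match_xlsm_response(raw)),
              (1000854, lambda: match_olecf(raw)),
              (1000855, lambda: match_olecf_powershell(raw))]
    return [sid for sid, hit in checks if hit()]

# --- constructed sample traffic (not real captures) ---------------------------

STAGE2_HIT = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-type: text/html\r\n\r\n"
              b"<html>cmd /c powershell.exe -window hidden -c $x</html>")
STAGE2_MISS = (b"HTTP/1.1 200 OK\r\nContent-type: text/html\r\nContent-Length: 42\r\n\r\n"
               b"<html>powershell.exe -window hidden</html>")           # text/html not the last header
STAGE3_HIT = (b"HTTP/1.1 200 OK\r\nContent-type: application/octet-stream\r\n\r\n"
              b"function Invoke-ReflectivePEInjection {\n  param($PEBytes)\n}")
XLSM_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/vnd.ms-excel.sheet.macroEnabled.12\r\n\r\n"
             b"PK\x03\x04\x14\x00")
OLECF_HIT = (b"HTTP/1.1 200 OK\r\nContent-Type: application/msword\r\n\r\n" + OLECF_MAGIC
             + b"\x00" * 16 + b'Shell("powershell.exe -window hidden -c $x")')
OLECF_MISS = b"HTTP/1.1 200 OK\r\n\r\n" + OLECF_MAGIC + b"\x00" * 16 + b"plain document text"

if __name__ == "__main__":
    for name, sample in [("stage2 hit", STAGE2_HIT), ("stage2 miss", STAGE2_MISS),
                         ("stage3 hit", STAGE3_HIT), ("xlsm response", XLSM_RESP),
                         ("olecf+ps", OLECF_HIT), ("olecf only", OLECF_MISS)]:
        print(f"{name:14s} -> {fired_sids(sample)}")
```

The STAGE2_MISS sample shows a subtlety of the second-stage rule worth knowing when tuning it: because `|0D 0A 0D 0A|` is glued to `text/html`, the rule only fires when Content-type is the last response header, so a server that emits Content-Length or Connection after it is never matched, independently of the negated contents, which are evaluated over the body after file_data.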

